Hackers Don’t Care About My Small Business. Or Do They?

NetCraftsmen®

For those of you that think professional hackers don’t care about your small business, let me introduce you to Zeus, the number one threat of 2009.  According to SC Magazine:

“Zeus:  Also known as Ztob, this bank credential-stealing trojan is masterfully built.  It is designed to evade anti-virus detection and then sit quietly in the background until victims login to their accounts.  Infections have hit small businesses particularly hard this year, sometimes resulting in individual losses of hundreds of thousands of dollars.” 

“72% of small businesses have no formal internet security policies”

Over the past fifteen years, I have tried repeatedly to educate small business owners about the importance of protecting their information and technical infrastructure.  The number one answer I receive is “Why would a hacker want to come after my small business?”  The answer is very simple “because they can”.  Most SMB’s (Small Medium Business)  don’t think twice about physical security and gladly sign the check every month, however, they have little regard for information security.

Over the past five years, due to compliance and extremely large financial losses, most large companies have realized the value of investing in protecting their information and their assets.  Most large companies have enough of a cash reserve and or insurance to survive an electronic financial theft.  Most of them will even pay the thief to not make the crime public due to the negative publicity.

Now that the bigger businesses are pretty secure and they have very smart people chasing the bad guys, the attention has gone to the small businesses and the home users.

Here is how Zeus works.

First the hackers go after the person at a SMB that is in charge of online banking (sometimes a contracted accountant/CPA).  Then the hackers target this person or their PC with emails and other methods to get them to click on a bad link.  Some of the links are an exact replica of the bank’s online banking web page.  Once the malware has been installed on the computer and the bank account information has been harvested, these bots (automatic applications) that will drain your account in less than 5 minutes.  Once the cyberthieves login to your bank account, the worm will create automated clearinghouse transfers to so  called money mules, individuals recruited via “work from home” scams. 

That’s right, all gone, just like that, and nobody can really help you.  The money is gone outside the country, which is out of the FBI’s jurisdiction.  Typically, the money is laundered through several accounts before ending up somewhere in Eastern Europe, which makes it difficult for even Interpol to track down.

Another quote from SC Magazine: “This is the most advanced banking trojan we have ever seen.  You give up that token (two layer authentication) and within 60 seconds your account is empty.”

After hearing this, most SMB owners (who always have an answer for everything) come back and say “what about my Insurance”.  Bad news, if you fail to protect your network and computers, and not educate your users, it is YOUR fault.  It is similar to not having a monitored alarm system for your store, who would insure you?

What about my anti-virus or anti-malware software you might ask?  Traditional signature-based AV solutions have trouble detecting Zeus because of its encrypted packing algorithm.   Hmmm, still think the cyberthieves are only after the big businesses?  This type of malware is created by some of the best hackers in the world.  If your business is vulnerable, its a matter of time before they get to you.

Can your small business afford to operate without the daily operating funds it needs to continue doing business?   Probably not.

Will your vendors and landlord wait to get paid because they feel bad for you?  Unlikely.

In conclusion, if you are a small business owner,  information security should be at the top of your priority list for 2010, especially if you want to grow your business to the next level. If you are wondering what to do, hire a security consultant who will help you secure your network and educate your end users / contractors.  Remember, if you use a PC tech/geek service, you are going to get your money’s worth.  Do you use just anyone for your finances and bookkeeping or a trusted certified professional like a CPA?

For more information about Zeus, just search Google for “Zeus Malware”.

References:  SC Magazine, December 2009 edition.

Leave a Reply

 

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.

 

Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.

 

John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.